PCI's Post-Audit Pain Points

Passed your first PCI compliance audit? You've only just begun! Veterans say ongoing challenges with log management, database encryption and upper management buy-in mean the task is never finished

Those who thought their PCI security challenges would be over after the first passing compliance audit say they continue to be dogged by the same problems that caused pain in the beginning.

For Jennifer Atwell, point-of-sale and communication support manager at Apple Gold Group, log management continues to be a pesky nuisance.

"Log management, while necessary, has turned out to be the biggest issue for us," says Atwell, who is based in the Raleigh-Durham, North Carolina area. "Partnering with a good vendor helps, but when you're starting from scratch, it's a big project."

Legacy applications continue to challenge PCI security at Lifestyle Services Group, according to Jim Griffiths, the company's UK-based information security and compliance chief. And at the National Bank of Kuwait, Information Security Officer Imran Minhas continues to be challenged by the task of database encryption.

"Database encryption is turning out to be a huge project in itself," Minhas says. "A place where no cardholder data is encrypted at all, all of a sudden has to encrypt almost every one of its databases. It's a bit hard to get everyone to prioritize this project to everything else. Upper management is good with it, but it comes down to the people who are going to implement the solutions."

But for the vast majority of security pros surveyed by CSOonline in recent weeks, the biggest problem is upper management.

The top brass may be fully supportive during that initial PCI security effort. But once that first audit is complete and the company gets a passing grade, the executives assume the task is done. Instead, security pros have found that the work is never done.

"Everyone, especially senior management, thinks that if we pass a PCI audit then we are safe for a year," says one network security administrator for a company in New York City, who asked that his name not be used because he was not authorized by his company to speak on the issue. "There's a perception that PCI-compliant shops are perfect."

The upper management problem

Others polled by CSOonline reported running into the same wall he spoke of. Daniel Blander, a CISM, CISSP and president of Techtonica Inc. in Los Angeles, says he has seen the problem up close.

"Having worked on two PCI projects, the biggest challenge is typically management's view, 'Well, we're compliant, so we're done,'" he says. "Some parts of management understand the 'why' of PCI, but don't understand overall risk management. Maintaining attention after the fact is the biggest challenge."

Serg Anishchenko, the technical manager at a company in Hungary, offered a "funny" example of how clueless upper management can be:

"They were sure I would be able to fix the system alone in a couple of weeks," he says of the top brass at his company. "Another challenge is working out a roadmap to find the easiest way to get compliant and stay that way for the longest period of time."

Tim Holman, senior consultant at QCC Information Security Ltd. in the UK, says PCI security is still generally being seen as an IT security project, lacking buy-in from senior management, which "leads to all sorts of fun and games." Taking credit card payments is rarely seen as a risk at the board level.

Documentation, please

The second-biggest ongoing challenge security pros mentioned is log management and documentation. Auditors rabidly digest those logs during audits, and they are a critical tool for spotting security holes and attempted breaches. Unfortunately, good log management isn't an easy process to maintain.

"My experience with PCI DSS compliance showed that documentation is a problem. Merchants could have good security installations, but it's a problem to write policy for change management procedures," says Dmitriy Tsygankov, director of the corporate customer care center at Swedbank in Ukraine. "It's not difficult to change IP tables or to buy a new server, but it's much more difficult to use and control all procedures" once they are in place, according to the documentation procedures.

Survival tips

Blander says there are a host of other PCI challenges companies continue to wrestle with. For one thing, he says, the sheer scope of remediation can be overwhelming, given that the standards are so broad. "For a retailer that means all stores (typically in the many hundreds)," he says. "The sheer cost of addressing that large a scope is a factor given the current state of retail. This doesn't make the standards bad, just a challenge to tightening budgets and limited resources."

His advice is to not let the scope of the challenge get the better of the organization, and use every remediation and control to give something back to the business that provides a non-PCI return on investment.

"File integrity monitoring is great for improving the quality of implementations and maintaining configuration standards if used correctly; configuration standards can improve the delivery of services and systems by promoting consistency," he says, noting that's good for business as a whole.

Griffiths has experienced many of the challenges listed above. But he remains confident in his organization's ability to do right by PCI security.

"None of the pain points are insurmountable," he says. "PCI is either a logical extension of current security practices or a huge undertaking in organizations with little or no security appetite."

The most important ingredient for any organization dealing with PCI security, security experts generally agree, is the security appetite Griffiths mentions.

About this series: PCI DSS: The Next Phase

The PCI Security Council recently released the latest version of its data security standard. CSOonline marks the occasion by asking companies where they continue to struggle in the battle for security and compliance, and what lies ahead.
Copyright © 2008 IDG Communications, Inc.